
Technical rationale

Outsourcing authentication

We are using an external service to provide hands-off authentication to increase the security of our application. The service is offered by ORCID. Some questions you may ask about this choice:

  • Why does the project not handle this on its own?

    Security is hard. We aren’t experts in the field. Leaving it to others makes more sense.

  • Why can’t I use my Google/Facebook/whatever account?

    Because they are commercial entities and we aren’t interested in helping them achieve their business goals.

  • Why ORCID?

    Because it isn’t a business entity, and has garnered a lot of support from many academic institutions. Furthermore, ORCID allows you to control what information is included in your profile and who gets to see it. We would particularly point you to this page for an overview of ORCID’s guiding principles.

External authentication rationale - a deeper dive

A key part of the CGWP mandate is community engagement. As such, any member of the public who is interested in assisting in the development of CGWP is encouraged to get in touch with us to begin the process of becoming a contributor.

Part of the process is providing a method for contributors to log in to our site. In order to maintain the security of the site and the privacy of our contributors we concluded that there are two main options available to us: an in-house, locally managed system; or an external one.

Publishing a website makes it a target, and a much larger target when people can log in to it. To deal with this, your security needs to be good. As already mentioned, security is hard and not our area of expertise, so it made sense to look outside for a solution. We considered using several different providers, including the various social media offerings. We chose to avoid these solutions due to their fundamentally predatory nature.

We settled on using an external authentication system provided by ORCID. The non-commercial nature of ORCID and the level of control they offer over profiles make them an ideal provider from our perspective. That said, we encourage you to research ORCID and learn something about their organization. To be clear: there is no financial consideration at play here. No money or favours are exchanged.

This is a good spot to tell you what we know about you and the information we store. When you sign up we ask you to provide a user name (for display on the CGWP site), an email address, and your ORCID name and iD. We store these things in our database along with the level of responsibility you have been granted. Each time you sign in to CGWP we also store the time you signed in. We have no access to any private portions of your ORCID profile, including your password. Nor does ORCID have access to anything you do on the CGWP site - the only thing they might know is when you use their service to authenticate for a CGWP session.

When you first log in to CGWP with your ORCID iD you are asked if it’s OK for CGWP to access your ORCID Record. The only access CGWP has is the ability to ask ORCID to authenticate that you are who you claim to be. After that ORCID transmits your ORCID name and ORCID iD back to us. Note that this information is public even on the ORCID site.
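As an added illustration (not CGWP's own code), here is one way a site could reduce ORCID's sign-in response to the stored fields described above and refuse anything broader than authentication. The response field names and the /authenticate scope are assumed from ORCID's public API documentation; toStoredIdentity and the sample values are hypothetical.

```javascript
// Added example, not CGWP code. Field names (orcid, name, scope) are assumed
// from ORCID's public API documentation.
const ORCID_ID = /^\d{4}-\d{4}-\d{4}-\d{3}[\dX]$/;

// ISO 7064 MOD 11-2 check character over the first 15 digits of an ORCID iD.
function orcidCheckChar(first15) {
  let total = 0;
  for (const ch of first15) total = (total + Number(ch)) * 2;
  const result = (12 - (total % 11)) % 11;
  return result === 10 ? "X" : String(result);
}

function isValidOrcidId(id) {
  if (typeof id !== "string" || !ORCID_ID.test(id)) return false;
  const digits = id.replace(/-/g, "");
  return orcidCheckChar(digits.slice(0, 15)) === digits[15];
}

// Hypothetical helper: keep only what the page says is stored from ORCID
// (ORCID name, ORCID iD, sign-in time). Tokens are deliberately not copied.
function toStoredIdentity(tokenResponse, signedInAt = new Date()) {
  if (tokenResponse === null || typeof tokenResponse !== "object") {
    throw new TypeError("token response must be an object");
  }
  const { orcid, name, scope } = tokenResponse;
  // Refuse a grant wider than "confirm who this is".
  if (scope !== "/authenticate") throw new Error("unexpected scope granted");
  if (!isValidOrcidId(orcid)) throw new Error("malformed ORCID iD");
  // Assumption: a missing name is stored as null rather than rejected.
  const orcidName = typeof name === "string" && name.trim() !== ""
    ? name.trim().slice(0, 200) : null;
  return { orcidId: orcid, orcidName, lastSignIn: signedInAt.toISOString() };
}

// Constructed sample response, not captured from ORCID.
const sampleResponse = {
  access_token: "constructed-placeholder-token",
  token_type: "bearer",
  refresh_token: "constructed-placeholder-refresh",
  expires_in: 3600,
  scope: "/authenticate",
  name: "Josiah Carberry",
  orcid: "0000-0002-1825-0097",
};

console.log(toStoredIdentity(sampleResponse, new Date("2024-01-01T00:00:00Z")));
```

The user name, email address and level of responsibility mentioned earlier come from the sign-up process, not from ORCID, so they are outside this helper.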

External code resources

Writing all of the code is unnecessary when so many well-written libraries already exist. We consider a library to be worthy of use when it provides crucial functionality that is so complicated that we simply cannot write it ourselves or when the library is small, easily understood and writing our own version would be re-inventing the wheel.

This application utilizes several external JavaScript libraries to make the site more functional, including: